This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
GigaYang
Collaborator
‎2023-07-24 09:18 AM
Jump to solution

NAT problem

Due to certain reasons. The previous administrator set several manual NAT rules (Rule6~10) on the firewall.

We want the host 172.16.224.109 to connect to the Internet through the third External interface (WAN3) of the firewall. And we set a PBR as the default route of the host.

But because of the influence of Manual NAT rule rule9. This makes it impossible for us to directly set Hide NAT to allow the host to connect to the Internet. Instead, a manual Hide NAT rule (Rule5) must be added to this rule.

After adding the NAT rule of Rule5, 172.16.224.109 can already access the Internet. But the strange thing is that after adding the NAT rule, I have to wait for several minutes before I can connect to the Internet. And when we remove the NAT, we have to wait for a few minutes before the connection is disconnected.

Wondering if anyone else has encountered a similar situation?

Labels
Preview file
18 KB
Preview file
10 KB
0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2023-07-25 11:21 AM
In response to GigaYang
Jump to solution

Existing connections that are NATted will keep using the same NAT, even if policy is reinstalled with rules specifying a different NAT address/rule for that connection.  The NAT address to use is determined right after the Firewall/Network policy accept of the first packet and cannot be changed for the life of the connection.  Only newly-initiated connections will use the newer rule. 

What is probably happening is your DNS servers are sending DNS UDP requests to an ISP forwarder, which is tracked as a "connection" by the firewall.  Even if you change the NAT rule and reinstall policy all those packets will still have the old NAT applied until the DNS "connection" ends and a new one starts.  This would be a use case for clearing the NAT table as described earlier in the thread.  

A better way to do this without deleting more than necessary is to add a new SAM rule matching the connection attributes in the SmartView Monitor (or fw sam) and making sure "close connections" is set.  Simply apply the SAM rule, then immediately remove it to force new connections (with the new NAT) to start.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

0 Kudos
6 Replies
the_rock
MVP Platinum
MVP Platinum
‎2023-07-24 10:31 AM
Jump to solution

I recall customer having similar issue once and they just clearned NAT table, waited few mins, then all worked fine.

Andy

fw tab -t fwx_alloc -x from expert mode

Best,
Andy
0 Kudos
GigaYang
Collaborator
‎2023-07-24 02:06 PM
In response to the_rock
Jump to solution

Thanks for your kindly reply.

May I ask under what circumstances do we need to manually clear the NAT Cache? And will other service connections be affected when manually cleaned up?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-07-24 03:51 PM
In response to GigaYang
Jump to solution

Make sure to do it in maintenance mode, as any connections having to do with NAT, would be disrupted.

Andy

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-07-25 11:21 AM
In response to GigaYang
Jump to solution

Existing connections that are NATted will keep using the same NAT, even if policy is reinstalled with rules specifying a different NAT address/rule for that connection.  The NAT address to use is determined right after the Firewall/Network policy accept of the first packet and cannot be changed for the life of the connection.  Only newly-initiated connections will use the newer rule. 

What is probably happening is your DNS servers are sending DNS UDP requests to an ISP forwarder, which is tracked as a "connection" by the firewall.  Even if you change the NAT rule and reinstall policy all those packets will still have the old NAT applied until the DNS "connection" ends and a new one starts.  This would be a use case for clearing the NAT table as described earlier in the thread.  

A better way to do this without deleting more than necessary is to add a new SAM rule matching the connection attributes in the SmartView Monitor (or fw sam) and making sure "close connections" is set.  Simply apply the SAM rule, then immediately remove it to force new connections (with the new NAT) to start.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
GigaYang
Collaborator
‎2023-07-26 06:32 AM
In response to Timothy_Hall
Jump to solution

After add SAM rule. The traffic will be correctly applied to the new NAT settings.

But is this problem possibly caused by too much content in the NAT Table? I have never encountered similar problems when setting Manual NAT rules on other Checkpoint firewalls.

We checked the device status and the memory usage is not high.

Preview file
11 KB
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-07-26 10:59 AM
In response to GigaYang
Jump to solution

That is why I mentioned clearing NAT table would not be a bad idea.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events